Cisco launches security patches against new attack

A new vulnerability threatens enterprise VPNs and could allow network spoofing and Man-in-the-Middle attacks

Cisco has released security patches for its widely used Internet Operating System (IOS) and Internet Operating System XE (IOS XE) software, ahead of a forthcoming announcement by cybersecurity experts who plan to reveal a flaw in the Internet Key Exchange (IKE) protocol used to configure IPsec-protected VPNs.

The network security company released the patches as part of a cyber security organization event, where researchers will present details of new variants of IPsec IKE attacks that could threaten large-scale VPN use, for example industrial information exchanges and wireless operators' backhaul running on Cisco kit.

The attack is possible because a key pair is reused across the first and second versions of the Internet Key Exchange protocol, IKEv1 and IKEv2, and it could allow an attacker to impersonate a network or conduct a Man-in-the-Middle attack against two parties.

“We demonstrate that reusing a key pair in different IKE versions and modes can cause attackers to avoid the inter-protocol authentication process, allowing them to impersonate a victim host or network”, the cyber security organization team explained. “In addition, we describe an offline dictionary attack against Pre Shared Key-based IKE modes, thus covering all of IKE’s available authentication mechanisms”.

As the experts point out, although IKEv2 replaced IKEv1, both can be deployed on all major operating systems and network devices, such as firewalls. They also found the same IKE flaws on devices from competing manufacturers, such as Huawei, Clavister and ZyXEL. This included the Huawei Secospace USG2000 series firewall.

According to cyber security organization experts from the International Institute of Cyber Security, alongside the Cisco patch for the vulnerability, tracked as CVE-2018-0131, which affects IOS and the Linux-based IOS XE software, Huawei, Clavister and ZyXEL have released new firmware to prevent exploitation of the vulnerability in their respective products.

Cisco has rated the bug as a medium-severity problem. It only affects IOS, the most widely deployed software for Cisco switches and routers, and IOS XE software when the “authentication rsa-encr” option is enabled.
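For administrators checking exposure, the following added example (not code from Cisco or from this article) scans a saved IOS running-config for IKEv1 policies that enable the "authentication rsa-encr" option. The sample configuration, hostname and function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the article or a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
crypto isakmp policy 10
 encr aes 256
 authentication rsa-encr
!
crypto isakmp policy 20
 authentication pre-share
 group 14
!
crypto isakmp policy 30
 encr aes
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
AUTH_RE = re.compile(r"^\s+authentication\s+(\S+)\s*$")

def isakmp_auth_methods(config_text):
    """Map each IKEv1 policy number to its configured authentication method.
    A policy block with no explicit 'authentication' line maps to None."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = None
        elif current is not None and not line.startswith(" "):
            current = None  # an unindented line closes the policy block
        elif current is not None:
            a = AUTH_RE.match(line)
            if a:
                policies[current] = a.group(1)
    return policies

def rsa_encr_policies(config_text):
    """Return the policy numbers that use RSA-encrypted nonces."""
    methods = isakmp_auth_methods(config_text)
    return sorted(n for n, auth in methods.items() if auth == "rsa-encr")

if __name__ == "__main__":
    for n in rsa_encr_policies(SAMPLE_CONFIG):
        print(f"crypto isakmp policy {n}: rsa-encr enabled, verify the CVE-2018-0131 fix is installed")
```

A device whose config returns an empty list does not have the option enabled in any IKEv1 policy, which is the condition the advisory ties the bug to.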

“Vulnerabilities in the implementation of RSA-encoded nonces in Cisco IOS software and Cisco IOS XE software could allow a hacker without authentication to remotely get the encrypted nonces of an IKEv1 session”, Cisco explained.

“The vulnerability exists because the affected software responds incorrectly to the decryption failures. An attacker could exploit this vulnerability by sending specially crafted ciphers to a device configured with IKEv1 that uses nonces encrypted in RSA. If the vulnerability is successfully exploited it could allow the attacker to obtain the encrypted nonces”. The company says there is no record of successful exploitation of this vulnerability for malicious purposes.